PSW AESM: "Failed to set logging callback for the quote provider library"

[csegarragonz]

Hi,

Using the provided docker image for the aesmd socket results in the warning that it can not set the logging callback for the quote provider library.

Indeed, in line 281 we look for the symbol: sgx_ql_set_logging_callback:

linux-sgx/psw/ae/aesm_service/source/bundles/ecdsa_quote_service_bundle/ecdsa_quote_service_bundle.cpp

Lines 278 to 289 in 0af6a83

	void* handle = get_qpl_handle();
	if (handle != NULL) {
	char *error;
	sgx_ql_set_logging_callback_t ql_set_logging_callback = (sgx_ql_set_logging_callback_t)dlsym(handle, "sgx_ql_set_logging_callback");
	if ((error = dlerror()) == NULL && ql_set_logging_callback != NULL) {
	// Set logging function detected
	ql_set_logging_callback(sgx_ql_logging_callback);
	}
	else {
	AESM_LOG_ERROR("Failed to set logging callback for the quote provider library.");
	}
	}

However, by running nm -D /usr/lib/libdcap_quoteprov.so we see the following symbols defined:

root@308856972d0a:/opt/intel/sgx-aesm-service/aesm# nm -D /usr/lib/libdcap_quoteprov.so | grep sgx_ql
000000000002ea62 T _Z11log_message19_sgx_ql_log_level_tPKc
000000000002eb49 T _Z3log19_sgx_ql_log_level_tPKcz
0000000000023bca T sgx_ql_free_quote_config
00000000000254e2 T sgx_ql_free_quote_verification_collateral
00000000000255db T sgx_ql_free_qve_identity
00000000000254a3 T sgx_ql_free_revocation_info
0000000000025628 T sgx_ql_free_root_ca_crl
00000000000231b6 T sgx_ql_get_quote_config
000000000002564e T sgx_ql_get_quote_verification_collateral
0000000000026568 T sgx_ql_get_qve_identity
0000000000023bf0 T sgx_ql_get_revocation_info
0000000000026a60 T sgx_ql_get_root_ca_crl
00000000000254c5 T sgx_ql_set_logging_function

where the desired symbol seems to be sgx_ql_set_logging_function.

The issue arises becase when running get_qpl_handle() we follow the legacy path:

https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/b6d6145c21e7a452f05838af24b09965ae9b6f10/QuoteGeneration/quote_wrapper/quote/qe_logic.cpp#L244-L269

Indeed, if I build the library from the DCAP sources I can see the right symbol defined:

root@3f6db1e0b09b:/opt/intel # nm -D /opt/intel/sgxdcap/QuoteGeneration/build/linux/libdcap_quoteprov.so | grep sgx_ql
000000000003bac0 T sgx_ql_free_quote_config
000000000003bae0 T sgx_ql_free_quote_verification_collateral
000000000003bbc0 T sgx_ql_free_qve_identity
000000000003bbe0 T sgx_ql_free_root_ca_crl
000000000003ba80 T sgx_ql_get_quote_config
000000000003be50 T sgx_ql_get_quote_verification_collateral
000000000003bb90 T sgx_ql_get_qve_identity
000000000003c340 T sgx_ql_get_root_ca_crl
000000000003bc00 T sgx_ql_set_logging_callback

[llly]

The quote provider library can be provided by Intel or 3rd party to utilize their service.
SGX DCAP provides /usr/lib/x86_64-linux-gnu/libdcap_quoteprov.so.1 in latest libsgx-dcap-default-qpl package.

It's expected error message if not all interfaces in quote provider library are valid, and will not cause a failure.

[csegarragonz]

What I was trying to say is that this is the error you get when building the sample docker image provided in the repo. So maybe the image needs amendment.

[llly]

SGX provides a Dockerfile that doesn't contains DCAP. When you mentioned the sample docker image, do you mean Azure docker image?